With the introduction of the 'pim-use-sdwan' option, FortiGate can leverage SD-WAN for PIM (Protocol Independent Multicast) operations, including the verification of RP (Rendezvous Point) neighbors and the transmission of multicast packets. SD-WAN rules can now steer multicast traffic.
When an SD-WAN member is out of SLA, multicast traffic can fail over to another SD-WAN member and switch back when SLA recovers.
CLI Configuration:
config router multicast
    set multicast-routing enable
    config pim-sm-global
        set pim-use-sdwan enable
        config rp-address
            edit 1
                set ip-address 172.17.0.1
            next
        end
    end
end
config router multicast
    config interface
        edit "port1"
            set pim-mode sparse-mode
            config igmp
                set version 2
            end
            set dr-priority 2
        next
        edit "vpn1"
            set pim-mode sparse-mode
            config igmp
                set version 2
            end
            set dr-priority 2
        next
    end
end
In specific scenarios, particularly when multiple SD-WAN zones exist on the FortiGate with Internet circuits as members of 'Internet SD-WAN Zone' and VPN tunnels as members of 'VPN SD-WAN Zone', there is a possibility that Multicast PIM traffic may be routed incorrectly via the Internet circuits instead of the intended VPN tunnels.

In the above topology, FGT-A is acting as a Receiver DR, and FGT-B is the Source DR.
This is primarily because the SD-WAN rules prioritizing Internet-bound traffic are at the top of the rule sequence.
As a result, when a multicast client requests a stream with an IGMP Join, the FortiGate acting as Receiver DR does not transmit the PIM Join: the matching SD-WAN rule steers it toward the Internet SD-WAN zone, and no PIM neighborship is established over that zone's interfaces.
FGT-BurnabyDot9 (root) # diagnose ip router pim-sm all enable
Debug messages will be on for 30 minutes.

FGT-BurnabyDot9 (root) # diagnose ip router pim-sm level info
Debug messages will be on for 30 minutes.

FGT-BurnabyDot9 (root) # diagnose debug enable
The RPF (Reverse Path Forwarding) neighbor in PIM Sparse Mode is the next-hop router toward the multicast source or RP (Rendezvous Point) as determined by the unicast routing table. It is used to ensure multicast traffic flows along the correct source-based path, preventing loops and duplication by verifying that multicast packets are sent/received on the interface leading to the RPF neighbor. In this example, the interfaces facing the RP/Source DR are VPN tunnels that have PIM neighborship established.
Solution: Set up an SD-WAN rule with the following parameters:
On the GUI, go to Network -> SD-WAN -> SD-WAN Rules.
Source Subnet: 'all' (Note: Source Subnet must be designated as 'all' and cannot be set to any specific subnet).
Destination Subnet: '172.17.0.1/32' (RP IP Address).
Protocol: '103' (PIM).
Members: VPN Tunnel Interfaces, since the PIM neighborship and RP are across the IPsec VPN Tunnels.
Ensure that the rule is positioned at the top of the SD-WAN rule list.
CLI Configuration:
config system sdwan
    set status enable
    config zone
        edit "Internet-sdwan"
        next
        edit "vpn-sdwan"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "Internet-sdwan"
            set gateway 172.218.187.112
        next
        edit 2
            set interface "wan2"
            set zone "Internet-sdwan"
            set gateway 208.91.115.10
        next
        edit 3
            set interface "vpn1"
            set zone "vpn-sdwan"
        next
        edit 4
            set interface "vpn2"
            set zone "vpn-sdwan"
        next
    end
    config service
        edit 3    <----- Place the Multicast SD-WAN rule at the top of the sequence.
            set name "Multicast-SDWAN"
            set protocol 103
            set dst "172.17.0.1/32"
            set src "all"
            set priority-members 3 4    <----- VPN tunnel interfaces
            set priority-zone "vpn-sdwan"
        next
        edit 2
            set name "LANtoVPN"
            set dst "10.10.76.3/32" "10.10.77.0/24" "10.10.78.0/24"
            set src "10.10.9.0/24"
            set priority-members 3 4
            set priority-zone "vpn-sdwan"
        next
        edit 1
            set name "LANtoWAN"
            set mode priority
            set dst "all"
            set src "all"
            set health-check "google.com"
            set link-cost-factor packet-loss
            set priority-members 1 2
            set priority-zone "dot9-sdwan"
        next
    end
end
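As an added illustration (not Fortinet's code and not part of the original article), the following Python models the top-down SD-WAN rule evaluation described above, using the members and rules from the configuration, and reports which zone a PIM (protocol 103) packet toward the RP is steered into under the broken and the corrected rule order. The source address 192.0.2.10 is a constructed stand-in for the receiver DR's own interface.

```python
import ipaddress

# Member id -> (interface, zone), constructed from the article's configuration.
MEMBERS = {1: ("wan1", "Internet-sdwan"), 2: ("wan2", "Internet-sdwan"),
           3: ("vpn1", "vpn-sdwan"), 4: ("vpn2", "vpn-sdwan")}

# Rules in the order the article recommends (PIM rule on top). protocol None
# and the literal "all" act as wildcards, as in the FortiOS rule definitions.
PIM_RULE = {"name": "Multicast-SDWAN", "protocol": 103, "src": ["all"],
            "dst": ["172.17.0.1/32"], "members": [3, 4]}
RULES_FIXED = [
    PIM_RULE,
    {"name": "LANtoVPN", "protocol": None, "src": ["10.10.9.0/24"],
     "dst": ["10.10.76.3/32", "10.10.77.0/24", "10.10.78.0/24"], "members": [3, 4]},
    {"name": "LANtoWAN", "protocol": None, "src": ["all"], "dst": ["all"],
     "members": [1, 2]},
]
# The problematic order from the article: the Internet catch-all rule on top.
RULES_BROKEN = [RULES_FIXED[2], RULES_FIXED[1], RULES_FIXED[0]]

def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(n == "all" or ip in ipaddress.ip_network(n) for n in nets)

def first_match(rules, proto, src, dst):
    """Top-down, first-match evaluation, the way SD-WAN rules select a rule."""
    for rule in rules:
        if rule["protocol"] not in (None, proto):
            continue
        if _in_any(src, rule["src"]) and _in_any(dst, rule["dst"]):
            return rule
    return None

def audit_pim_steering(rules, members, rp_ip, src_ip, pim_zone="vpn-sdwan"):
    """Return (rule name, zones steered to, ok) for a PIM packet toward the RP;
    ok means every candidate member is in the zone holding the PIM neighbors."""
    rule = first_match(rules, 103, src_ip, rp_ip)
    if rule is None:
        return (None, set(), False)
    zones = {members[m][1] for m in rule["members"]}
    return (rule["name"], zones, zones == {pim_zone})

if __name__ == "__main__":
    # 192.0.2.10: constructed address of the receiver DR's own interface, the
    # source of its PIM Join; this is why the rule's source must stay "all".
    for label, rules in (("broken order", RULES_BROKEN), ("fixed order", RULES_FIXED)):
        print(label, audit_pim_steering(rules, MEMBERS, "172.17.0.1", "192.0.2.10"))
```

Narrowing the PIM rule's source to the LAN subnet makes the router-sourced Join fall through to the catch-all rule again, which is why the article insists on 'all'.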